Router vendors are rapidly responding to the fact that hackers are turning their dastardly attentions to the internetworking devices that manage the Internet's data traffic flow.
The Internet's sprawling infrastructure was not fundamentally designed or interconnected with security in mind. The flexibility that helps disparate computer networks interconnect by a common set of protocols and standards also provides opportunities for malevolent agents to gain unauthorised access to network devices – and cause some serious mischief.
E&T has previously looked at the growing concerns around the possibility to not only hack individual Internet servers and end-point computers, but also to break into internetworking devices – called routers – that link the structure of the Internet itself – so what are the router vendors doing to counter the threats?
Routers are hardware devices of various size and capacity that perform the 'traffic directing' functions on the Internet. A standard definition of a router is a 'device that forwards data packets (or 'datagrams') between computer networks'. This creates an overlay internetwork, as a router is connected to two or more connections (or 'data lines') from different networks.
When a data packet arrives from one of the lines, the router reads its to/from address information (or 'header') to determine its ultimate destination. Using information in its routing table (or routing policy), the router then directs the packet forward to the next network – the network of networks, or 'internetwork' – on its 'journey' until it gets to its destination node. Routers perform several other advanced functions that ensure the efficiency and robustness of the internetwork.
Router products fall into several general categories or class of product. At the top end there are what's usually called 'carrier class' platforms: these are the ultra-high-performance 'big iron' boxes used by network operators that own the backbone networks – the super-highways of the internetwork infrastructure – and are found in the main data centres of the major telcos and international Internet exchanges.
The 'enterprise class' routers are found in data centres, but can also be installed in large premises for trafficking data around private networks. Small 'local' or 'branch office' routers can now include the Wi-Fi devices common to small offices, and security vulnerabilities have been found in these devices. However, it is the higher-end routers that are being targeted by hackers bent on bringing down the Internet itself.
Network router manufacturers tend – understandably – to be relatively tight-lipped about the innate security of their product technology (which includes a lot of software and software management functionality) when pitted against determined hacker subversion. Enhanced router security is now proving an integral bulwark in the added defence of the Internet.
An added complication is that there is thought to be a lot of 'legacy' networking equipment still in operation – routers are often 'bypassed' by newer kit, rather than decommissioned and swapped out – and some of that internetworking device 'estate' is bound to have been installed before current cyber-security issues had fully emerged.
Old internetworking kit, though still functional, may not be as well-supported in terms of patch remedies as newer products; indeed, as much networking equipment is sold via value-added resellers and network integrators, the original supplier may not even be in business anymore. Websites such as Shodan have gone some way to highlighting this problem to the wider IT practitioner community.
The primary motive for trying to hack a router is to mount a distributed denial of service (DDoS) attack – an attempt to make the targeted device unavailable to its users and administrators. Hackers may also be interested in investigating the possibility of nabbing network traffic as it passes through the router. The revelations that emerged from the Edward Snowden disclosures have also highlighted how powerful national agencies are interested in penetrating network communications devices to intercept and 'syphon off' traffic for surveillance operations.
Router vendors are now more aware of security issues than they were a few years ago, and they are taking rapid steps to address the challenges. To assess some of these challenges from the vendors' perspective, and to glean a better understanding of how the industry is addressing the issues around router cyber security, E&T looks at five of the market leaders – Alcatel-Lucent, Brocade, Cisco, Huawei and Juniper Networks, to find out how things stand.
Alcatel-Lucent: photonic futures
Unlike some of its rivals, Alcatel-Lucent has identified a significant increase in attacks on networking hardware devices, and admits this is partly the fault of the vendors themselves. "It is evident that the Black Hat community has shifted its interest from attacking single systems to attacking the Internet infrastructure," says Roberto Di Pietro, head of cyber security research, Alcatel-Lucent Bell Labs France.
He adds: "While end-user security has improved considerably over the last few years, infrastructure security has not responded with the same flexibility to this increased level of threat."
Alcatel-Lucent has increased its investment in infrastructure security, Di Pietro reports, while also recognising that routers are vulnerable to physical attacks. "In general, routers can be threatened by flaws in the communication protocols or in their implementation, flaws in the router control management and router physical security," Di Pietro explains. "Among these threats, router physical security is probably the most neglected one by the industrial and research community."
This, of course, is not always in the gift of the vendor, but Alcatel-Lucent now goes to more trouble to emphasise the importance of protecting routers from hackers and other malevolent agents. One key point is that routers are often located in less secure parts of buildings than servers or client systems, having in the past been considered less critical than servers, say.
Yet anyone with physical access can perform a password reset, and then run riot over that router's configuration causing all manner of problems. Even if it is not a core router that's attacked, there is the potential for bringing the network down by poisoning the routing tables on all routers (router tables are data tables stored in a router, or sometimes a networked computer, that list the routes to particular network destinations and, in some cases, distances associated with those routes).
Alcatel-Lucent has also identified the emerging Internet of Things (IoT) as a threat by creating a new generation of IP-connected devices. Associated with that, the ongoing migration from IPv4 to IPv6, with its vastly bigger address space, is itself creating new vulnerabilities, the company says.
A side-effect of the use of NAT (Network Address Translation) to get round the shortage of IPv4 addresses by reusing them internally within enterprises behind firewalls was to provide a layer of protection against outside attacks.
With IPv6 this invisible curtain is removed, and Alcatel-Lucent believes vendors have a responsibility to ensure that customers that may in the past have got away with inadequate security are fully-protected. Vendors also need to invest in laboratory and field testing IPv6 protocol stacks rigorously, because they have not been exposed to the hacking that IPv4 has faced over 20 years or more of public Internet use.
When it comes to external infrastructure threats, Alcatel-Lucent says that photonic switching has an important role to play by making it harder to intercept data in transit. Photonic switching eliminates the need for conversion between optical and electrical signals at switching and interconnection points of a fibre network. These are points of vulnerability because electrical signals are easier to tap through external monitoring devices, while optical signals require direct interception.
There is great interest in photonics for secure switching at subsea cable landing sites, for example, and also for cross-domain secure video conferencing. Alcatel-Lucent rates itself as among the leaders in photonic switching technology, and is promoting it as part of its solution for a more secure IP infrastructure.
Brocade: dedicated silicon solutions
Brocade is a relative arriviste on the router market. Its view is that DDoS attacks represent the single most significant threat to telco and service provider networks, with the number of attacks – including UDP, ICMP (Ping), SYN flood, Nukes, Ping of Death, Smurfs, Slowloris, and Zero-day (the last classifying unknown or new attacks) – growing in both volume and scale.
Both DoS and DDoS attacks are usually measured by the volume of gigabytes, megabytes, bytes, or packets per second, which are pushed to a particular device in the hope of flooding it to a standstill.
"We have seen very high bandwidth, 100Gbit/s plus attacks increase significantly – by up to 30 per cent – in 2013 and 2014, often peaking at 350Gbit/s," reveals Nick Williams, Brocade's EMEA senior product manager for data centre IP. "It is not new, but different approaches to how those [DDoS] attacks are performed have become apparent."
Brocade has harnessed innovations like software-defined networking (SDN) technology to develop an automated DDoS solution which uses version 1.3 of the OpenFlow protocol. Though ostensibly an analytics application built to optimise network bandwidth use, the Brocade Hybrid OpenFlow approach, or Real Time SDN Analytics for DDoS, can also be used to detect behavioural characteristics coming from security threats, the company says.
Combined with InMon's sFlow-RT (a network-monitoring protocol similar to Cisco's NetFlow and IPFIX), and an OpenDaylight SDN framework, it marks, steers and rate-limits DDoS traffic flows to counter multi-gigabyte attacks and/or block bad traffic before it reaches the site with the advantage of being able to keep forwarding suspect packets even if the physical controller fails. When a DDoS attack is detected, the SDN controller configures an OpenFlow entry which directs traffic to a black hole VLAN or other destination where it can be analysed in more detail.
Brocade also offers hardware-based packet filtering and policy-based routing, which, the company says, can result in improved performance using dedicated FCPGA silicon as well as layer 2-7 traffic monitoring over IPv4, IPv6 and MPLS networks using sFlow. As with other manufacturers' equipment, the company's NetIron MLX/MLXe Series routers also feature a spanning tree protocol (STP) root guard and bridge protocol data unit (BPDU) guard to block hackers launching L2 STP attacks, which disrupt service provider networks by taking over the root bridge.
The company published a guide to basic security hardening of the IronWare operating systems embedded in its enterprise routers and switches, dubbed IronShield Best Practices. This supplements the configuration guides for individual products and covers AAA, RADIUS and TACACS/TACACS+ configuration, password selection and configuration file security, as well as limiting remote access to specific IP addresses using ACLs and VLAN segregation to stop brute force attacks.
Earlier this year Brocade announced new port modules for its MLXe router which support Layer 3 256bit IPSec for IP networks and Layer 2 128bit MACsec encryption within the Ethernet link layer. This allows service providers to encrypt data traversing private MPLS or fibre WAN links, which connect business campus networks to the telco core, or handle traffic between data centres, if not necessarily the public Internet. While it does not protect the router itself from attack, it does bestow an extra layer of security on the data traffic that's passing through the device.
Cisco: hardware security 'bake-in'
If you're a hacker with a penchant for targeting internetworking routers, and you like to aim high, then technology from Cisco Systems will be in your sights.
Cisco itself concedes that it is having to deal with a fast-growing number of attacks on infrastructure built on its router product lines, reflected, for instance, in an increase in the number of patches issued to fix vulnerabilities identified in its IOS that runs on all its routers, switches, and other networking hardware devices.
Part of the response involves a strategy known unofficially as 'laundering dirty linen in public', otherwise called the Cisco Product Security Incident Response Team (PSIRT) process. This publishes full details of various vulnerabilities as soon as they are identified.
According to Anthony Grieco, principal engineer at Cisco's Threat Research Intelligence and Development (TRIAD), some 60 per cent of the vulnerabilities published by Cisco are found internally, before having any identified impact on customers. All well and good, but this still leaves 40 per cent that are identified only after the vulnerability has been exploited by the baddies, which suggests that Cisco – and router makers in general – need to raise their game in identifying weaknesses in their products and getting patches out quickly.
According to Chester Wisniewski, senior security advisor at IT security specialist Sophos, Cisco is still only on a twice-a-year cycle for software updates and should move to emulate Microsoft, which for many has set the gold standard for rapid and reliable deployment of fixes in the field.
Most analysts would probably agree that market-leader Cisco has done better when it comes to tackling wider threats spanning the whole infrastructure. Grieco points out that the majority of threats are still directed at end-point devices such as PCs, with SOHO (small office/home office) routers more targeted than larger enterprise or Telco systems deeper in the network.
While there have been more threats recently directed against the core Internet infrastructure as well, these are mostly targeting weaknesses at the whole system level, rather than the underlying hardware such as routers, according to Grieco. Such weaknesses can include the management of credentials for those network administrators with privileges allowing them to access and provision infrastructure. Cisco has devoted more resources over the last two years to tackling such higher level architectural or procedural risks, the company says.
Cisco argues that its dominant position means it has both the responsibility and opportunity to do more than some vendors to counter large-scale threats that may be targeted at the infrastructure, such as DDoS attacks. Such attacks can be identified more readily by combining information from multiple nodes and links on a network to identify unusual activity that is indicative that an attack may be unfolding.
Countermeasures may need to be launched quickly, such as control plane policing to identify DDoS traffic and then limit it or eliminate it altogether. This can be set to kick in when any given traffic type exceeds a certain threshold level, but requires coordinated action among multiple routers at the network level.
DDoS is far from the only threat requiring co-ordinated action, with worms (standalone malware that replicates itself to spread to other computers) remaining a significant threat, according to Cisco, which has responded through its Network-Based Application Recognition (NBAR) classification engine within its Internetwork Operating System software. Worms, unlike viruses, are standalone, and do not require a host program or human help to propagate. They can spread by exploiting vulnerabilities in target systems.
To counter this NBAR applies deep content inspection (DCI) to seek tell-tale signs of worms spanning multiple packets. DCI is a successor to deep-packet inspection, extending it to scan multiple packets to counter more advanced worms and malware that cannot be detected just by inspecting the payloads of individual packets in isolation.
Grieco says that there is an opportunity for collaboration between vendors through standards bodies and initiatives to build distributed security into network hardware so that they act in unison to identify threats and counter them: "We see more situations where security is 'baked-in' from the beginning, as protocols and capabilities are implemented [from the outset]."
Cisco also reports that it has identified a need internally to ensure the integrity of its own IOS software through secure software development. This involves avoiding hooks or points of vulnerability that could be exploited, say by an ex-programmer with an axe to grind, and ensuring that the software is generally robust and well-guarded against anticipated external threats.
Huawei: controversial contender
Many who take an interest in the router industry will know that router security has proved a sensitive issue for Huawei in more ways than one.
In July 2012 German security researcher and head of Recurity Labs, Felix Lindner, found session hijack, heap, and stack overflow vulnerabilities in the Chinese manufacturer's small business and enterprise AR19 and AR29 routers which could be cracked by entering standard, preset passwords and used as a source to amplify the scale of DoS/DDoS attacks. At the same time, the company has recruited no less a personage than John Suffolk, the former chief information officer for the UK government, as its global cyber security officer.
No serious flaws have been reported in the NetEngine NE5000E, NE40E, and NE20E/20 products widely used in telco and service provider Internet backbone, metro core, data centre and ISP networks, however. Online security vulnerability database CVE Details records two vulnerabilities for these three devices, both published in 2013, which have since been updated: one concerning the use of the DES algorithm for stored passwords, which makes it easier for attackers to perform resource or administration attacks (aka, 'brute force' attacks); and another which allows remote authenticated users to discover credentials via an SNMP request.
Following the 2012 criticism, meanwhile, Huawei has made attempts to become more transparent by publishing details of known vulnerabilities on its website.
The US market is closed to Huawei due to suggested government concerns that the Chinese secret service might use Huawei routers as 'back door' covert surveillance tools to gain access to sensitive state and commercial information (Huawei founder Ren Zhengfei was an engineer in the Chinese army before starting the company in 1987). No evidence to suggest this had or could happen ever emerged, however, and Washington may be equally (if not more) concerned that unwanted foreign competition could damage the profits of two of its largest internetworking companies, Cisco and Juniper.
Huawei's Versatile Routing Platform OS employs fairly standard local authentication and remote authentication dial-in user service (RADIUS) and terminal access controller access control systems (TACACS/TACACS+) mechanisms as well as Secure Shell (SSH) encryption to guard against unauthorised access from hackers trying to gain control of the router in brute force attacks.
As with other manufacturers, the border gateway protocol (BGP) Flowspec is employed to filter and redirect data traffic in service provider networks to a discard interface. Local mirroring capabilities copy data packets which match pre-defined characteristics to a separate interface for further analysis to prevent disruption to genuine traffic, with whitelists and blacklists based on ACL rules also filtering and separating traffic from high-priority and unauthorised sources.
Huawei also offers an anti-DDoS system (the AntiDDoS8000 Series) designed to protect data-traversing telecommunications and ISP networks from 100 known DDoS attacks and 200 Zombies, Trojans and Worms. The platform offers 'seven layer' filtering for IPv6 as well as IPv4 traffic with an unspecified terminal identification technology pinpointing suspect IP addresses.
Some Huawei routers, including the NE5000E, use the NetStream or IP Flow Information Export (IPFIX) analysis, monitoring and reporting tool – roughly analogous to Cisco's Flexible NetFlow (and subject to accusations of Intellectual Property shenanigans). Like NetFlow, NetStream collects inbound/outbound data at the router interface to analyse security and traffic events, keeping a record of packet source, destination, and class of service, to help with the detection of unusual volumes of suspicious data traffic.
Juniper Networks: CHARM school
Cisco challenger Juniper now identifies DNS (domain name server) DDoS attacks as its primary challenge. DNS servers are used as a source, relay and target to amplify the number of systems that can be compromised simultaneously to channel vast amounts of traffic at a particular device or site, usually via a Botnet or Zombie, which takes control of other systems which then forward large DNS messages to the target en masse.
Basic checks which prevent source spoofing from external or internal resources or customers can partly mitigate the threat. Juniper, however, has also developed a specific product called DDoS Secure to prevent attacks by continually monitoring and logging all inbound/outbound Web traffic using a Closed Hierarchical Association Rule Mining (CHARM) algorithm to analyse the contents of the data packets sent by each IP address to learn if they can be trusted. Suspect or non-compliant data packets can be dropped as soon as the target systems' performance begins to suffer, minimising the effects of the DDoS attack on legitimate traffic.
The BGP Flow Specification (Flowspec) supported on Juniper routers can also be used to filter and redirect BGP traffic in service provider networks to a discard interface, otherwise known as a Remotely Triggered Black Hole (RTBH), either for cleaning or deletion.
NTP DDoS attacks are a rising menace: they target the Network Time Protocol servers that synchronise equipment time clocks within the carrier's core and access networks, and also use those NTP servers as the source, relay or target mechanism to amplify the DDoS attack.
The UDP-based NTP protocol is prone to amplification attacks because it will answer a packet carrying a spoofed source IP address with a long reply, which includes the addresses of up to the last 600 machines with which the NTP server interacted. Mitigation is again handled by Juniper's DDoS Secure platform, which eliminates the need for the service provider to either disable, manually configure, or apply filters to the NTP service.
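The flow-based detection pipeline described in the Brocade section (sFlow records feeding a controller that installs rate-limit or black-hole rules) and the NTP amplification pattern described above can be illustrated together. The following is an added example written for this page, not code from any of the vendors; the flow-record layout, the thresholds and the sample flows are constructed assumptions, and the rules it emits are a generic stand-in for an OpenFlow or Flowspec entry.

```python
"""Added illustration: flow-record DDoS detection producing mitigation rules.
Not vendor code; record format, thresholds and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One sFlow/NetFlow-style summary record for a sampling window (assumed layout)."""
    src: str
    dst: str
    proto: str   # "udp", "tcp" or "icmp"
    sport: int
    dport: int
    packets: int
    bytes: int


# Constructed sample: a few benign flows plus forty NTP servers each sending
# oversized UDP/123 replies to one victim, the amplification shape in the text.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", "203.0.113.5", "tcp", 44321, 443, 120, 90_000),
    Flow("198.51.100.11", "203.0.113.5", "tcp", 44322, 443, 80, 60_000),
    Flow("192.0.2.7", "198.51.100.10", "udp", 123, 123, 2, 180),  # normal NTP
] + [
    Flow(f"192.0.2.{i}", "203.0.113.9", "udp", 123, 40000 + i, 5_000, 2_400_000)
    for i in range(1, 41)
]

VOLUME_THRESHOLD_BYTES = 50_000_000  # assumed per-destination bytes per window
AMP_MIN_BYTES_PER_PKT = 400          # a normal NTP reply is well under 100 bytes
AMP_MIN_SOURCES = 10                 # many reflectors converging on one victim


def volumetric_targets(flows, threshold=VOLUME_THRESHOLD_BYTES):
    """Destinations whose inbound byte volume crossed the window threshold."""
    per_dst = defaultdict(int)
    for f in flows:
        per_dst[f.dst] += f.bytes
    return sorted(d for d, b in per_dst.items() if b >= threshold)


def ntp_amplification_targets(flows, min_bpp=AMP_MIN_BYTES_PER_PKT,
                              min_sources=AMP_MIN_SOURCES):
    """Destinations receiving oversized UDP source-port-123 replies from many sources."""
    reflectors = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.sport == 123 and f.packets:
            if f.bytes / f.packets >= min_bpp:
                reflectors[f.dst].add(f.src)
    return sorted(d for d, s in reflectors.items() if len(s) >= min_sources)


def mitigation_rules(flows):
    """Rules in the order a flow table would evaluate them: the narrow
    rate-limit on the reflected NTP traffic first, the catch-all
    black hole for the whole destination as the last resort."""
    rules = []
    for dst in ntp_amplification_targets(flows):
        rules.append({"priority": 200, "action": "rate-limit",
                      "match": {"proto": "udp", "sport": 123, "dst": dst}})
    for dst in volumetric_targets(flows):
        rules.append({"priority": 100, "action": "blackhole",
                      "match": {"dst": dst}})
    return rules


if __name__ == "__main__":
    for rule in mitigation_rules(SAMPLE_FLOWS):
        print(rule)
```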
Resource or administration attacks, which see hackers attempt to gain access to the router's management console by guessing the username and password, can be quick if the authentication details are sufficiently weak or left to the manufacturer default options.
The JunOS operating system uses a range of filters to restrict management and service access, and at time of publication claims there is no known vulnerability to this kind of attack.
"If any is found, by either our internal security team or external sources, a thorough analysis is done and security alerts are sent to our customers to either fix it or mitigate its effect," reports Henrik Davidsson, Juniper's EMEA head of security.
Juniper routers also apply Quality of Service (QoS) mechanisms to protect against attacks on Web services using its WebApp Secure and SRX Datacenter Firewall products, designed to have a 'deeper understanding' of specific Web protocols and the methods used to hack them.
The company maintains that the clear separation between the control plane and the data plane in its SDN network infrastructure equipment makes the router less sensitive to resource consumption attacks such as DoS and DDoS.